Thanks a lot for the reply. Worked great. Sorry for my late reply, I was away for a few weeks.

Daniel Cid wrote:
> Hi Steve,
>
> A simple way to ignore these logs is with the following rule:
>
> <rule id="100101" level="0">
>   <if_sid>1002</if_sid>
>   <program_name>^sshd</program_name>
>   <match>error: channel_setup_fwd_listener|error: bind: Address already in</match>
>   <description>SSHD events ignored</description>
> </rule>
>
> Just add it to your local_rule.xml (under the "group" section) and
> restart ossec.
>
> Hope it helps.
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
>
> On 6/26/07, Steve Johnson <[EMAIL PROTECTED]> wrote:
>>
>> Hi,
>>
>> Thanks a lot for the offers. There are 2 messages that are generated
>> when that happens. Here's an example of the messages below:
>>
>> sshd[25624]: error: channel_setup_fwd_listener: cannot listen to port:
>> sshd[25624]: error: bind: Address already in use
>>
>> The only thing that changes is the PID of the SSHd.
>>
>> Thanks again,
>> Steve Johnson
>>
>> Daniel Cid wrote:
>> > Hi Steve,
>> >
>> > A lot of people have problems finding stuff on our wiki, but we plan to keep
>> > improving it (and any help is welcome). As Michael said, you can send the log
>> > entries to the list so we can help you out, or you can use the following documents
>> > from our FAQ:
>> >
>> > http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules
>> > http://www.ossec.net/wiki/index.php/Know_How:CorrelateSnort
>> >
>> > Also, my presentation at AusCERT/Confidence can be of help too:
>> >
>> > http://www.ossec.net/ossec-docs/auscert-2007-dcid.pdf
>> >
>> > Hope it helps,
>> >
>> > --
>> > Daniel B. Cid
>> > dcid ( at ) ossec.net
>> >
>> >
>> > On 6/21/07, Steve Johnson <[EMAIL PROTECTED]> wrote:
>> >
>> >> Hi,
>> >>
>> >> There is a syslog message that triggers rule 1002 for syslog, which is
>> >> about alerting on a certain keyword. The message happens when we try to
>> >> set up an ssh tunnel when the port has already been used by someone else
>> >> and has the keyword "error" generated by sshd. I don't want to remove
>> >> the keyword from rule 1002, or even less ignore the rule completely, but
>> >> I was wondering if there was a way to whitelist certain specific syslog
>> >> messages? I could not find the information in the wiki, so I hope I
>> >> didn't just overlook it :-)
>> >>
>> >> Thanks,
>> >> Steve Johnson
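Added example (not part of the thread or of OSSEC itself): a small Python emulation of how the ignore rule above sits under rule 1002, run over constructed sshd lines, so you can check that it silences only the two port-forwarding errors and leaves other sshd errors and non-sshd programs alerting. It assumes rule 1002 fires on the keyword "error" at level 2, and simplifies OSSEC's match syntax to `|` alternatives with `^`/`$` anchors and literal substrings.

```python
import re

# Constructed sample log lines (timestamp/host prefix stripped to keep the parser short).
# The first two are the messages quoted in the thread; the others are added here to show
# what the ignore rule must leave alone.
SAMPLE_LOGS = [
    "sshd[25624]: error: channel_setup_fwd_listener: cannot listen to port:",
    "sshd[25624]: error: bind: Address already in use",
    "sshd[31337]: error: bind: Address already in use",   # different PID, same event
    "sshd[25630]: error: Could not load host key: /etc/ssh/ssh_host_dsa_key",
    "cron[1200]: error: bind: Address already in use",    # not sshd: must still alert
    "sshd[25640]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2",
]

# Assumed: rule 1002 fires on the keyword "error" (as the thread describes) at level 2.
RULE_1002 = {"id": 1002, "level": 2, "match": "error"}
# Daniel's local rule from the thread, expressed as a dict.
IGNORE_RULE = {"id": 100101, "level": 0, "if_sid": 1002, "program_name": "^sshd",
               "match": "error: channel_setup_fwd_listener|error: bind: Address already in"}

SYSLOG_RE = re.compile(r"^(?P<prog>[^\[: ]+)(?:\[\d+\])?: (?P<msg>.*)$")


def ossec_match(pattern, text):
    """Simplified OSSEC <match>/<program_name>: '|' separates alternatives,
    '^' anchors the start, '$' the end; anything else is a literal substring."""
    for alt in pattern.split("|"):
        start, end = alt.startswith("^"), alt.endswith("$")
        lit = alt[1:] if start else alt
        lit = lit[:-1] if end else lit
        if start and end:
            hit = text == lit
        elif start:
            hit = text.startswith(lit)
        elif end:
            hit = text.endswith(lit)
        else:
            hit = lit in text
        if hit:
            return True
    return False


def evaluate(line):
    """Return (rule_id, level) for one log line, or None if no rule fires."""
    m = SYSLOG_RE.match(line)
    prog, msg = (m.group("prog"), m.group("msg")) if m else ("", line)
    if not ossec_match(RULE_1002["match"], msg):
        return None
    # The child rule is only considered once its if_sid parent (1002) has matched.
    if ossec_match(IGNORE_RULE["program_name"], prog) and ossec_match(IGNORE_RULE["match"], msg):
        return IGNORE_RULE["id"], IGNORE_RULE["level"]
    return RULE_1002["id"], RULE_1002["level"]
```

Running `evaluate` over `SAMPLE_LOGS` gives level 0 for the three port-forwarding lines, level 2 for the host-key error and the cron line, and nothing for the successful login.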
